SHIRO-552

JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Resolved
    • Affects Version/s: 1.2.4
    • Fix Version/s: 1.5.0
    • Component/s: None
    • Labels: None

      Description

      The org.apache.shiro.realm.jdbc.JdbcRealm class, when configured with SaltStyle.COLUMN, assumes that password column is Base64 but salt column is utf8 bytes.

      The password is returned as a char[] (see JdbcRealm.java:241), which org.apache.shiro.authc.credential.HashedCredentialsMatcher decodes as text (see HashedCredentialsMatcher.java:353):

              if (credentials instanceof String || credentials instanceof char[]) {
                  //account.credentials were a char[] or String, so
                  //we need to do text decoding first:
                  if (isStoredCredentialsHexEncoded()) {
                      storedBytes = Hex.decode(storedBytes);
                  } else {
                      storedBytes = Base64.decode(storedBytes);
                  }
              }
      

      However, the salt is returned as a ByteSource, by converting the DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:

                  if (salt != null) {
                      info.setCredentialsSalt(ByteSource.Util.bytes(salt));
                  }
      

      This is broken and inconsistent.

      Not all salt byte[]s are valid UTF-8 strings, so the default assumption should be that the salt column is Base64 encoded.
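      The mismatch described above can be reproduced without a database. The following is an added example, not code from the Shiro project or from the reporter; it uses the Shiro 1.x API (Sha256Hash, HashedCredentialsMatcher, org.apache.shiro.codec.Base64, ByteSource) and stands in for the part of JdbcRealm that builds the AuthenticationInfo. The realm name and the sample user and password are constructed values. One AuthenticationInfo is built the way JdbcRealm.java:224 does it (UTF-8 bytes of the salt column text), the other by Base64-decoding the salt column exactly as the password column is decoded; only the second one matches, and the final check shows why a raw salt cannot be stored as a UTF-8 string in the first place.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class SaltColumnDemo {

    /** Hypothetical realm name; only used to populate the AuthenticationInfo. */
    static final String REALM = "demoRealm";

    /**
     * Stand-in for what JdbcRealm does with the salt column under SaltStyle.COLUMN
     * (the JdbcRealm.java:224 snippet quoted in the issue): the DB string becomes its UTF-8 bytes.
     */
    static AuthenticationInfo infoWithUtf8Salt(String user, String passwordCol, String saltCol) {
        return new SimpleAuthenticationInfo(user, passwordCol.toCharArray(),
                ByteSource.Util.bytes(saltCol), REALM);
    }

    /** The behaviour the issue asks for: decode the salt column as Base64, like the password column. */
    static AuthenticationInfo infoWithBase64Salt(String user, String passwordCol, String saltCol) {
        return new SimpleAuthenticationInfo(user, passwordCol.toCharArray(),
                ByteSource.Util.bytes(Base64.decode(saltCol)), REALM);
    }

    /** Matcher configured for a Base64-encoded SHA-256 password column, as the issue describes. */
    static HashedCredentialsMatcher base64Sha256Matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(1);
        m.setStoredCredentialsHexEncoded(false); // default is hex; the issue's column is Base64
        return m;
    }

    public static void main(String[] args) {
        String user = "alice";                              // constructed sample values
        String password = "correct horse battery staple";

        // A realistic random salt: 16 arbitrary bytes, in general not a valid UTF-8 sequence.
        byte[] salt = new SecureRandomNumberGenerator().nextBytes(16).getBytes();

        // What an application writes into the users table when both columns are Base64.
        String passwordCol = new Sha256Hash(password, salt, 1).toBase64();
        String saltCol = Base64.encodeToString(salt);

        HashedCredentialsMatcher matcher = base64Sha256Matcher();
        UsernamePasswordToken token = new UsernamePasswordToken(user, password);

        // Broken: the salt used for matching is the UTF-8 text of the Base64 column (24 bytes),
        // not the 16 bytes the password was actually hashed with, so this never matches.
        boolean utf8Match = matcher.doCredentialsMatch(token,
                infoWithUtf8Salt(user, passwordCol, saltCol));
        // Consistent: salt column decoded the same way as the password column.
        boolean b64Match = matcher.doCredentialsMatch(token,
                infoWithBase64Salt(user, passwordCol, saltCol));

        System.out.println("salt taken as UTF-8 bytes of the column text -> match = " + utf8Match);
        System.out.println("salt column Base64-decoded                   -> match = " + b64Match);

        // The reporter's second point: String <-> UTF-8 does not round-trip arbitrary bytes,
        // so a raw salt stored as a UTF-8 string is usually corrupted before it is ever compared.
        byte[] roundTripped = new String(salt, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println("raw salt survives a UTF-8 String round trip  -> "
                + Arrays.equals(salt, roundTripped));
    }
}
```

      Compile and run it with shiro-core (and its slf4j dependency) on the classpath. The first match is always false because the UTF-8 bytes of a 24-character Base64 string can never equal the 16-byte salt that was hashed; the second is true; the round-trip check is false for almost every random salt, which is the reason a Base64 (or hex) salt column is the only encoding that works for arbitrary salt bytes.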

            People

            • Assignee: Unassigned
            • Reporter: Richard Bradley (richard.bradley)
            • Votes: 0
            • Watchers: 3


                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0h
                • Logged: 10m